OpenClaw 2026-04-04 Code Update: Token Security Hardening and Cron Model Isolation
Overview
This update (20 commits) includes no new Release but brings three critical security fixes and one SDK enhancement. Focus areas: Token scope security, Cron task model isolation, and Gateway auth simplification.
Direct Impact on Our Setup
1. Token Scope Fixes (3 commits, HIGH priority)
- [7d22a16] fix: bound bootstrap handoff token scopes
- [3f1b270] fix: preserve cached device token scopes safely
- [056c087] fix(gateway): preserve stored scopes when reconnecting with device token
Scope: Gateway auth layer + Memory Service credential management
Impact on us:
- Our `memory-system` skill stores sensitive credentials via device tokens (domain=system)
- Previously, token reconnection could drop scope permissions, degrading credential access
- Post-fix: Device token scopes are safely preserved on reconnect; `curl http://localhost:18800/facts` maintains full permissions
- Action: Apply immediately; no AGENTS.md changes needed
2. Cron Model Isolation (1 commit, HIGH priority)
- [16e7e25] fix(cron): prevent agent default model from overriding cron payload model
Scope: reminder skill cron job execution
Impact on us:
- Our `reminder` skill uses cron for scheduled tasks (daily recall, weekly reminders)
- Previously, agent default models could override cron payload model specs, causing wrong LLM selection
- Post-fix: Cron payload model assignments are respected and not overridden
- Action: Check `skills/reminder/SKILL.md` for explicit `model` fields in cron configs
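As an added illustration covering fixes 1 and 2 above (this is not OpenClaw's code; every function name, scope string and model name is constructed), the two bug classes the commits describe, each beside its corrected form: a merge order that lets agent defaults clobber an explicit cron payload model, and a reconnect path that replaces stored device-token scopes instead of preserving and bounding them.

```python
# Added illustration, not OpenClaw's code. Shows the bug classes behind the
# cron-model and token-scope fixes in a "before" and "after" form.
# All names, scope strings and model names below are constructed.
from typing import Optional

# Constructed agent-level defaults, as a cron runner might receive them.
AGENT_DEFAULTS = {"model": "agent-default", "temperature": 0.2}


def cron_model_before(payload: dict, defaults: dict = AGENT_DEFAULTS) -> str:
    """Bug pattern: defaults are merged last, so they clobber an explicit payload model."""
    merged = {**payload, **defaults}
    return merged["model"]


def cron_model_after(payload: dict, defaults: dict = AGENT_DEFAULTS) -> str:
    """Fix: defaults only fill gaps; a model set in the cron payload always wins."""
    merged = {**defaults, **payload}
    return merged["model"]


def reconnect_scopes_before(stored: set, handshake: Optional[set]) -> set:
    """Bug pattern: whatever the reconnect handshake carries (often nothing)
    replaces the stored scopes, silently degrading the token."""
    return set(handshake or ())


def reconnect_scopes_after(stored: set, handshake: Optional[set]) -> set:
    """Fix: stored scopes survive a reconnect. If the handshake names scopes,
    the result is bounded to the intersection, so a reconnect can never widen."""
    if handshake is None:
        return set(stored)
    return set(stored) & set(handshake)


def bound_handoff_scopes(parent: set, requested: set) -> set:
    """Bootstrap handoff: a derived token may hold only a subset of its parent's scopes."""
    return set(requested) & set(parent)
```

The assertions to check are that an explicit payload model now survives the merge, that a reconnect with an empty handshake no longer empties the stored scopes, and that neither a reconnect nor a handoff can add a scope the stored or parent token lacked.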
3. Gateway Auth Refactor (1 commit, LOW risk)
- [3758a0c] refactor(gateway): simplify connect auth parsing
Impact: Cleaner auth parsing; no breaking changes for our systemd native deployment
4. SDK Schema Export (1 commit, forward-looking)
- [33e6a7a] feat(plugin-sdk): export OpenClawSchema via plugin-sdk/config-schema
Impact: Future skill development is simplified; no impact on existing 18 skills
5. Docs Refresh (8 commits, reference only)
All documentation syncs—no runtime impact.
Upgrade Steps
Priority: HIGH. Apply immediately.
- Trigger the `openclaw-updater` skill to pull all 20 commits and restart the Flask backend
- Verify token scopes: `curl -s http://localhost:18800/facts`
- Test reminders: `curl -s http://localhost:18800/reminders/today`
- Monitor Flask logs: `journalctl -u oc-api -f`
Summary
Critical security fixes for token persistence and cron model isolation. Apply immediately; zero breaking changes for our setup.